<Vulnerability name="CVE-2026-14739">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-07-07T22:05:18</PublicDate>
    <Bugzilla id="2497916" url="https://bugzilla.redhat.com/show_bug.cgi?id=2497916" xml:lang="en:us">
DBI: DBI: Heap overflow when preparsing SQL statements with excessive placeholders
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>8.1</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-131</CWE>
    <Details xml:lang="en:us" source="Mitre">
DBI versions before 1.650 for Perl have a heap overflow when preparsing SQL statements with an extreme number of placeholders.

The fix for CVE-2026-10879 did not allocate enough memory to handle approximately 1.2-million placeholders.

DBI version 1.650 sets a hard limit of 99,999 placeholders.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in DBI for Perl. This vulnerability, a heap overflow, occurs when the software attempts to preparse SQL statements containing an extremely large number of placeholders. This could allow a remote attacker to cause a denial of service or potentially execute arbitrary code.
    </Details>
    <Statement xml:lang="en:us">
This vulnerability in DBI for Perl is rated as Important. A heap overflow can occur when processing SQL statements with an exceptionally large number of placeholders, potentially leading to a denial of service or arbitrary code execution. While requiring an extreme number of placeholders, this flaw could impact applications utilizing DBI in Red Hat environments that handle untrusted or maliciously crafted SQL queries.
    </Statement>
    <Mitigation xml:lang="en:us">
Applications utilizing `perl-DBI` should implement robust input validation and limit the number of parameters used in SQL query placeholders, particularly when processing untrusted data. This operational control can prevent the construction of SQL statements with an excessive number of placeholders, thereby reducing the risk of triggering the heap overflow vulnerability.
    </Mitigation>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:10">
        <ProductName>Red Hat Enterprise Linux 10</ProductName>
        <FixState>Affected</FixState>
        <PackageName>perl-DBI</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:6">
        <ProductName>Red Hat Enterprise Linux 6</ProductName>
        <FixState>Affected</FixState>
        <PackageName>perl-DBI</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:7">
        <ProductName>Red Hat Enterprise Linux 7</ProductName>
        <FixState>Affected</FixState>
        <PackageName>perl-DBI</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>perl-DBI</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:8">
        <ProductName>Red Hat Enterprise Linux 8</ProductName>
        <FixState>Affected</FixState>
        <PackageName>perl-DBI:1.641/perl-DBI</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/o:redhat:enterprise_linux:9">
        <ProductName>Red Hat Enterprise Linux 9</ProductName>
        <FixState>Affected</FixState>
        <PackageName>perl-DBI</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-14739
https://nvd.nist.gov/vuln/detail/CVE-2026-14739
https://github.com/perl5-dbi/dbi/commit/2b77c88b655e9539a592c71a61fb965fc0075395.patch
https://metacpan.org/release/HMBRAND/DBI-1.650/changes
https://www.cve.org/CVERecord?id=CVE-2026-10879
    </References>
</Vulnerability>